Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

They should have thought of that before abusing these things to fingerprint us. Use of the GPU is a privilege and it can be revoked.


I sometimes unironically say that JavaScript is a privilege that should only be granted to websites that actually need it. Most of the web is text and images. No Turing-complete client-side runtime environment is required to display that.

But I would also accept all those multimedia APIs (canvas, WebGL, WebGPU, everything audio and video, including the <video> tag) and some others (e.g. service workers and everything else app-like) requiring a permission. Again, most websites don't need them, so given the abuse potential, there's no reason why they should be openly available.


You have noscript to block all that but it breaks the most simple sites these days. Part of it is legitimate like responsive design (though most can be done with css these days).

But most of it is bullshit tracking, anti-scraping and similar stuff.


Responsive sites could’ve been done with css a decade ago too. IIRC Even IE6 has some support for flexbox and media queries. but people would rather pick up react and have a pile of js do it for them.


IE6 was EOL before flexbox was a thing, according to Wikipedia.


I may be thinking IE11 then.


You could just fingerprint the cpu then, every cpu behaves differently. Buy any number of the same CPU and you’ll see different aspects in every one of them.


This is why high-resolution timers are bad, but a website doesn't have the same level of access to the CPU as it does with something like webGPU.


there isn't a 'they' and an 'us' in this situation


"They" refers to web developers. "Us" refers to users. We are the owners of the machines where their code will run.

They have complete freedom on their servers. On my computer, I make the rules. They are lucky if I allow their code to run at all.


The point is that the "they" who abuse this and the "they" who use it for legitimate reasons usually aren't the same people, and so the "they" who abuse this have no incentive not to out of some concern about their legitimate uses being curtailed.


If "they" run ads which unfortunately most websites do then "they" are part of those who abuse the browser capabilities.


most websites don't, but google doesn't send you to those, but instead to the big ones that do


this is of course the ideal, but it is somewhat not to the point; as vidar says, the 'they' who are fingerprinting you have only a limited intersection with the 'they' who are doing awesome things with webgl like shadertoy or https://mitxela.com/projects/model-viewer, which doesn't even have google analytics

a somewhat bigger problem is that to a very significant extent the actual owners of the machines are microsoft, google, and apple, not the users; they make the rules, and the users are lucky if the owners allow their code to run at all. under those circumstances, blocking fingerprinting is practically quite difficult, because the 'they' who want to fingerprint you and the 'they' who make the rules about what code run on your machine are the same people, not two opposing groups

an additional problem is that an increasing part of the web is run by criminal elements like harvey weinstein and the rest of the mpaa, who will block you if they can detect you attempting to protect your privacy from them by blocking fingerprinting, even if apple decides it would be a good idea; cloudflare and google are perhaps the most prominent enforcers here, perhaps somewhat reluctantly




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: